How does eCollect process data according to the new GDPR?

Helene Mueller
eCollect support team

With regard to the new European General Data Protection Regulation (EU -GDPR), which comes into force on 25 May 2018, eCollect AG in its capacity as a debt collection service provider is acting as a data controller in its relationship with its clients within the meaning of the GDPR.

Receivables management by eCollect AG as data controller in the sense of the new GDPR.

We process the data transmitted to us for the purpose of enforcing the claims of our clients and within the scope of our receivables management. Furthermore, our company independently determines the purposes of processing and the exact measures to be taken to enforce claim and is not bound by client’s instructions. We also manage the concrete measures for data-based optimization of receivables management. Therefore, eCollect AG does not process personal data as a processor on behalf of a data controller within the meaning of Art. 28 para. 1 GDPR, but acts on its own responsibility within the agreed contractual framework. For this reason, no additional contractual arrangements with our clients are required for data processing.

Our company acts on the basis of legal permission regulations, which are directly derived from the GDPR. First, according to Art. 6 para. 1 lit. b), the processing of personal data is always permissible if it is necessary for the performance of a contract to which the data subject is a party. This is without doubt the case when enforcing open claims for delayed payments and contractually justified compensations for damages. On the other hand, Art. 6 (1) (f) constitutes the processing of personal data which is necessary to protect the legitimate interests of the data controller (of the collection service provider) or a third party (of the client). Processing is therefore also justified by the legitimate interest in the execution of collection activities as a generally recognized service in the interest of a functioning economy. The data processing carried out by us for the enforcement of claims is therefore directly based on the law and does not require the consent of the data subjects.

Where is the personal data stored at eCollect AG?

The personal data provided by our clients are stored exclusively on the servers of eCollect AG. All servers are located in a data center at a secure location in the Canton of Zug, Switzerland. For security reasons, in order to adequately protect the physical location of the servers, the name and exact address of the data center are not explicitly mentioned here. The data center meets the strictest standards for information security, storage, operation and security of computer servers and is equipped with state-of-the-art security mechanisms. Security personnel, locking and surveillance systems, surveillance cameras, extinguishing devices and redundant air conditioning ensure the necessary security. An uninterruptible power supply (UPS) with triple redundancy and 99.9 % network availability is provided.

All data is only stored centrally. Storage on local data carriers is not permitted. Data access is only possible via the system software solutions.

How is personal data protected at eCollect AG?

In accordance with the provisions of the GDPR, we have taken a number of technical and organisational measures to ensure effective data protection in the areas of general and automated processing of personal data and the use of network and telecommunications channels in compliance with the law. The measures we take are state of the art, regularly updated and adapted to the latest developments in our system and are periodically reviewed.

Data protection risks are sufficiently minimized at eCollect AG through the development and implementation of an in-house system (eCollect system) with a secure system architecture. The personal data is logically separated from each other. There is an independent access management for the assignment of individual access authorizations. Depending on the different task distribution, individual access authorizations are defined so that personal data cannot be read, copied, changed or removed without authorization after it has been stored.

Each system has its own Linux firewall with Stateful Inspection, Malformed Packet Protection, Fragmented Packet Reassembly and Static Blocked Sources List.

Databases include transactional RDBMS and aggregation No-SQL databases, all instances are properly managed with strict authorization and authentication at application and user level. Proprietary server software applications are exclusively developed by an internal IT team with release and QA control and procedures. The correct code evaluation is regularly checked for potential exploits and potential violations through web services and public API interfaces. All public communication is encrypted using the HTTPS protocol. Encryption with digital certificates ensures that data is transmitted securely. All our SSL/TTL certificates are issued by DigiCert Inc. Where encryption is used, the key management process is followed.

How can I contact the persons responsible for data protection at eCollect AG?

You can contact the persons responsible for data protection within eCollect AG at any time at the following e-mail address: We place particular emphasis on strictly observing our statutory duties to provide information, to respond to queries of data subjects in due time or to make notifications, deletions, etc. in accordance with the law. We are happy to support our clients with data-related inquiries from data subjects, provided that we have the relevant information at our disposal for the enforcement of claims.